Merge pull request #180 from actions/enterprise-docs

Adding instructions for installing in GHES
This commit is contained in:
Federico Builes
2022-08-03 17:28:05 +02:00
committed by GitHub
+31 -3
View File
@@ -9,6 +9,8 @@ The action is available for all public repositories, as well as private reposito
## Installation
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
1. Add a new YAML workflow to your `.github/workflows` folder:
```yaml
@@ -28,7 +30,32 @@ jobs:
uses: actions/dependency-review-action@v2
```
Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.
### GitHub Enterprise Server
This action is available in GHES starting with version 3.6. Make sure
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
are enabled.
You can use the same workflow as above, replacing the `runs-on` value
with the label of any of your runners (the default label
is `self-hosted`):
```yaml
# ...
jobs:
dependency-review:
runs-on: self-hosted
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
```
## Configuration
You can pass additional options to the Dependency Review
@@ -52,7 +79,7 @@ jobs:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# You can only include one of these two options: `allow-licenses` and `deny-licenses`
# You can only include one of these two options: `allow-licenses` and `deny-licenses`. These options are not supported on GHES.
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
@@ -82,7 +109,7 @@ This example will only fail on pull requests with `critical` and `high` vulnerab
You can set the action to fail on pull requests based on the licenses of the dependencies
they introduce. With `allow-licenses` you can define the list of licenses
your repository will accept. Alternatively, you can use `deny-licenses` to only
forbid a subset of licenses.
forbid a subset of licenses. These options are not supported on GHES.
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
@@ -107,6 +134,7 @@ to filter. A couple of examples:
**Important**
* Checking for licenses is not supported on GHES.
* The action will only accept one of the two parameters; an error will
be raised if you provide both.
* By default both parameters are empty (no license checking is